IT Security For Libraries

LISTen: An LISNews.org Program -- Episode #229

This week's episode looks around the LISHost galaxy and speculates about some ambiguous information.

Download here (MP3) (Ogg Vorbis), or subscribe to the podcast (MP3) to have episodes delivered to your media player. We suggest subscribing by way of a service like gpodder.net. A way to send gifts of replacement hardware to Erie Looking Productions is available here via Amazon, as always.

This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/.

LISTen: An LISNews.org Program -- Episode #228

This week's program deals with Wikipedia hoaxing, an Internet icon, and a miscellany of brief items.

Download here (MP3) (Ogg Vorbis), or subscribe to the podcast (MP3) to have episodes delivered to your media player. We suggest subscribing by way of a service like gpodder.net. The list of hardware sought to replace our ever-increasing damage control report can be found here and can be directly purchased and sent to assist The Air Staff in rebuilding to a more normal operations capability.

Simple tricks websites can use to fingerprint you

The "I Know..." series of blog posts shows relatively simple tricks that malicious websites can use to coax a browser into revealing information it probably should not. Firewalls, anti-virus software, anti-phishing blacklists, and even patching your browser were not going to help.

Fortunately, if you are using one of today's latest and greatest browsers (Chrome, Firefox, Internet Explorer, Safari, etc.), these attack techniques mostly don't work anymore. The unfortunate part is that they were by no means the only way to accomplish these feats.

I Know…
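The point of the "I Know..." tricks is that a site needs no cookie and no exploit to recognise a returning visitor: a handful of attributes that every browser hands over on request (user agent, screen size, timezone, language, plugin and font lists) combine into an identifier. The following is an added example, not code from the "I Know..." series or from LISNews, that shows the arithmetic behind that. The six-visitor population is constructed, and the attribute names are whatever a collecting script would happen to record; the point is that each attribute alone carries under two bits, while the combination separates every visitor.

```python
"""Added example: why a few harmless-looking browser attributes identify a
visitor without cookies. Not code from the "I Know..." posts."""
import hashlib
import json
import math
from collections import Counter

# Attributes a page can read through ordinary client-side APIs
# (navigator.userAgent, screen.*, Date, navigator.plugins, font probing).
ATTRIBUTES = ("user_agent", "screen", "timezone", "language", "plugins", "font_count")

# Constructed sample of six visitors; not real traffic data.
POPULATION = [
    {"user_agent": "Firefox/10 Windows", "screen": "1366x768", "timezone": "-300",
     "language": "en-US", "plugins": "Flash,Java", "font_count": 42},
    {"user_agent": "Firefox/10 Windows", "screen": "1366x768", "timezone": "-300",
     "language": "en-US", "plugins": "Flash", "font_count": 42},
    {"user_agent": "Chrome/17 Windows", "screen": "1920x1080", "timezone": "-300",
     "language": "en-US", "plugins": "Flash,Java", "font_count": 42},
    {"user_agent": "Chrome/17 Windows", "screen": "1366x768", "timezone": "-480",
     "language": "en-US", "plugins": "Flash", "font_count": 57},
    {"user_agent": "Safari/5 Mac", "screen": "1440x900", "timezone": "-480",
     "language": "en-US", "plugins": "Flash", "font_count": 57},
    {"user_agent": "Firefox/10 Windows", "screen": "1920x1080", "timezone": "-300",
     "language": "fr-CA", "plugins": "Flash,Java", "font_count": 42},
]


def fingerprint(attrs, keys=ATTRIBUTES):
    """Stable identifier: hash of the canonicalised attribute values.
    Survives cookie clearing because nothing is stored on the client."""
    canonical = json.dumps([str(attrs.get(k)) for k in keys])
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def entropy_bits(values):
    """Shannon entropy of an observed value distribution, in bits."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def attribute_entropy(population, key):
    """How much one attribute on its own tells the site."""
    return entropy_bits([p[key] for p in population])


def fingerprint_entropy(population, keys=ATTRIBUTES):
    """How much the combined attributes tell the site."""
    return entropy_bits([fingerprint(p, keys) for p in population])


def unique_fraction(population, keys=ATTRIBUTES):
    """Share of visitors whose fingerprint is shared with nobody else."""
    counts = Counter(fingerprint(p, keys) for p in population)
    return sum(1 for p in population if counts[fingerprint(p, keys)] == 1) / len(population)


if __name__ == "__main__":
    for key in ATTRIBUTES:
        print(f"{key:12s} {attribute_entropy(POPULATION, key):.2f} bits")
    print(f"combined     {fingerprint_entropy(POPULATION):.2f} bits, "
          f"{unique_fraction(POPULATION):.0%} of visitors unique")
    print(f"UA+language  {unique_fraction(POPULATION, ('user_agent', 'language')):.0%} unique")
```

With all six attributes every constructed visitor is unique (log2(6), about 2.6 bits, is the most six people can yield); with only user agent and language, two pairs collide and only a third are identifiable. Blocking a single attribute therefore buys little; what matters is how many independent attributes the site can still read, which is why the newer browsers mentioned above close the individual leaks rather than any one of them being decisive.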

SEC4LIB The Place To Learn About IT Security Issues In Libraries

You might be interested in the new(ish) list where we talk about IT Security stuff, SEC4LIB. It's low volume and you'll probably learn a few things about security issues.

You may also like to check out the IT Security For Libraries section here at LISNews: http://lisnews.org/security

Hacker Group Breaches Library of Congress Site, Publishes Passwords

A group of hackers claims to have breached the official website of the Library of Congress, America’s national library.

The group claiming responsibility, BlitzSec, decried the wildly unpopular US Congress and said it used a SQL injection attack to reach the Library of Congress website's back-end database and expose user names, passwords and email addresses. The group posted data taken from the Library on the paste site Pastebin.
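The two things that make a story like this possible are a query that splices user input into SQL text, and a user table that stores passwords as they were typed. The following is an added example, not code from the Library of Congress site or from the reported attack, that puts the injectable login beside the parameterised one on an in-memory SQLite database, and puts a plaintext user table beside a salted PBKDF2 one so the difference in what a dump exposes is visible. The accounts, passwords and e-mail addresses are constructed.

```python
"""Added example: the query shape behind a credential dump via SQL
injection, beside the parameterised and hashed version. Constructed data;
not code from the Library of Congress or the reported attack."""
import hashlib
import hmac
import os
import sqlite3

# Constructed accounts; any resemblance to real users is accidental.
CONSTRUCTED_USERS = [
    ("alice", "hunter2", "alice@example.org"),
    ("bob", "letmein", "bob@example.org"),
    ("carol", "Tr0ub4dor&3", "carol@example.org"),
]

# Classic bypass payload: closes the string, ORs in a tautology, and
# comments out the password clause. sqlite3 honours "--" line comments.
PAYLOAD = "' OR 1=1 --"


def hash_password(password, salt, iterations=100_000):
    """Salted, deliberately slow hash: a stolen row yields work, not a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def setup_db():
    conn = sqlite3.connect(":memory:")
    # The weak schema: plaintext passwords, exactly what a dump exposes.
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", CONSTRUCTED_USERS)
    # The hardened schema: per-user salt plus PBKDF2 digest.
    conn.execute("CREATE TABLE users_hashed "
                 "(username TEXT PRIMARY KEY, salt BLOB, digest BLOB, email TEXT)")
    for user, pw, email in CONSTRUCTED_USERS:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users_hashed VALUES (?, ?, ?, ?)",
                     (user, salt, hash_password(pw, salt), email))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately injectable: user input is spliced into the SQL text."""
    sql = (f"SELECT username, password, email FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_parameterised(conn, username, password):
    """Same query, but the driver binds the values: quotes and comments in
    the input stay data and never reach the SQL parser as syntax."""
    sql = "SELECT username, password, email FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def verify_hashed(conn, username, password):
    """Login against the hardened table: recompute and compare in constant time."""
    row = conn.execute("SELECT salt, digest FROM users_hashed WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, digest = row
    return hmac.compare_digest(hash_password(password, salt), digest)


def dump_hashed(conn):
    """What an attacker who reads the hardened table actually gets."""
    return conn.execute("SELECT username, hex(salt), hex(digest), email FROM users_hashed").fetchall()


if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable:   ", login_vulnerable(conn, PAYLOAD, "anything"))
    print("parameterised:", login_parameterised(conn, PAYLOAD, "anything"))
    print("hashed dump:  ", dump_hashed(conn))
```

The vulnerable function returns every row, plaintext passwords and all, for a username of `' OR 1=1 --`; the parameterised one returns nothing for the same input and still works for a real credential. The hashed table would still leak e-mail addresses in a breach, which is a reminder that parameterised queries and password hashing address two different failures and a site needs both.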

Are your mobile apps spying on you?

Why is this a big deal? Because phone numbers are some of the most personal information available about anyone. They are a semi-permanent unique identification number that also serves as a direct way to reach you at all times. Giving someone else your number means you trust them to not abuse it, call you at 3 a.m. for no reason, or spray paint it on a restroom wall.

But can you trust these Web apps -- especially those that grab your numbers without asking -- to not abuse it? The answer is that we shouldn't have to. Maybe now, thanks to the Path debacle, we won't.

A Research Agenda Acknowledging the Persistence of Passwords

Despite countless attempts and near-universal desire to replace them, passwords are more widely used and firmly entrenched than ever. Our exploration of this leads us to argue that no silver bullet will meet all requirements, and not only will passwords be with us for some time, but in many instances they are the solution which best fits the scenario of use. Among broad authentication research directions to follow, we first suggest better means to concretely identify actual requirements (surprisingly overlooked to date) and weight their relative importance in target scenarios; this will support approaches aiming to identify best-fit mechanisms in light of requirements. Second, for scenarios where indeed passwords appear to be the best-fit solution, we suggest designing better means to support passwords themselves. We highlight the need for more systematic research, and how the premature conclusion that passwords are dead has led to the neglect of important research questions.

The secret stalker within your phone

If you've ever wondered just what's going on inside some of those apps on your phone, you'll want to take a look at this!
Secret iOS business; what you don’t know about your apps
Developers can get away with more sloppy or sneaky practices in mobile apps as the execution is usually further out of view. You can smack the user with a massive asynchronous download as their attention is on other content; but it kills their data plan. You can track their moves across entirely autonomous apps; but it erodes their privacy. And most importantly to me, you can jeopardise their security without their noticing; but the potential ramifications are severe.

Keeping Current In IT Security

I have a bunch of feeds in my feed reader dedicated to security now. You probably don't need to read that much about security, but if you want to, here's an OPML file: http://lisnews.org/files/security-opml.xml

If that's too much (and it almost certainly is) here are some recommended sources I think you'll find will keep you up to date in the field, and won't overwhelm you with too much information!

Recommended - Easy To Follow:

SANS Newsletters http://www.securingthehuman.org/resources/newsletters/

SANS Reading Room https://www.sans.org/reading-room

Schneier on Security : http://www.schneier.com/blog/

Naked Security – Sophos : http://nakedsecurity.sophos.com/

Security FAQs : http://www.security-faqs.com/

Security Intelligence: https://securityintelligence.com/

Troy Hunt: http://www.troyhunt.com/

Brian Krebs: https://krebsonsecurity.com/

Recommended - More In Depth:

Ars Technica Security: http://arstechnica.com/security/

SC Magazine: http://www.scmagazine.com/

Dark Reading: http://www.darkreading.com/

InfoWorld: http://www.infoworld.com/category/security/

SoftPedia: http://news.softpedia.com/cat/security

TechRepublic: IT Security : http://www.techrepublic.com/topic/security/

Threatpost: https://threatpost.com/

Packet Storm : http://packetstormsecurity.org/

Security Bloggers Network : http://www.securitybloggersnetwork.com/

Recommended - Podcasts:

http://grc.com/securitynow.htm

http://www.defensivesecurity.org/

http://www.pvcsec.com/

http://www.southernfriedsecurity.com/

(Updated March 30 2016)
Thanks to Tracy Maleeff for her help updating this list.

15 tips for social media security in libraries

This is part Nine in my many part series on IT Security In Libraries.
Part 8 was the first half of this post, Social Media Security In Libraries
In Part 7 I listed many lists full of practical advice that covered just about everything dealing with IT security in libraries.
Part Six was really the first part of this post. I dealt with security in libraries, mostly theory, while this post is more practical, and is mostly lists.
In part 5 I covered 20 Common Security Myths, and how to defeat them.
Part 4 was a general "How To Stay Safe Online" post that covered topics like patching/updating, watching links and downloads, and using good passwords.
In Part Three I covered passwords.
In part 2 we talked privacy.
In Part One I tried to lay the foundation for security.

It is important that all users understand there are real threats posed by social media sites. I'm not trying to scare you into hiding in a cave here, but you should know places like Facebook and Twitter are infested with bad guys who are working hard to cause trouble for all of us. Those bad guys will try to connect with as many people as possible, creating a sense of trust that makes it easier to use people to carry out their plans. Common schemes include social media identity theft, takeovers of a brand's social media presence, phishing, viruses, worms, and just about any other common online risk. I've collected 15 common and easy tips to make your social media sites as secure as possible.

Social Media Security In Libraries

This is part Eight in my many part series on IT Security In Libraries. In Part 7 I listed many lists full of practical advice that covered just about everything dealing with IT security in libraries. Part Six was really the first part of that post: I dealt with security in libraries, mostly theory, while Part 7 was more practical, and mostly lists. In part 5 I covered 20 Common Security Myths, and how to defeat them. Part 4 was a general "How To Stay Safe Online" post that covered topics like patching/updating, watching links and downloads, and using good passwords. In Part Three I covered passwords. In part 2 we talked privacy. In Part One I tried to lay the foundation for security.

Libraries and librarians are fully embracing social media sites like Twitter, LinkedIn and Facebook. Our libraries use them to connect with and engage our patrons, increase library visibility and communicate information. We each use them to connect with old friends, sell ourselves, stay up to date with the world around us, and keep in touch with family. There are serious security risks involved with most social sites that can be avoided by following some very simple rules. The bad guys are finding it very easy to use these sites to cause trouble. Scammers, stalkers, phishers, spammers, hackers and every other kind of evildoer on the internet are finding new ways to get into our social networks every day. They are using links to spread malware and spam, and they're always one step ahead. They're using these sites for chat bots, CAPTCHA crackers, malware, spam, botnet command and control, blackhat SEO, and so on.

Practical IT Security In Libraries

This is part Seven in my many part series on IT Security In Libraries.
Part Six was really the first part of this post. I dealt with security in libraries, mostly theory, while this post is more practical, and is mostly lists.
In part 5 I covered 20 Common Security Myths, and how to defeat them.
Part 4 was a general "How To Stay Safe Online" post that covered topics like patching/updating, watching links and downloads, and using good passwords.
In Part Three I covered passwords.
In part 2 we talked privacy.
In Part One I tried to lay the foundation for security.

Let's face it, security is tough in libraries. We have no shortage of access points. We deal with any number of vendors, who may or may not be secure. Threats come from within the libraries (patrons), and from external sites anywhere in the world. Our patrons are bringing in all sorts of Wi-Fi enabled things. And any new security stuff we want to add will get push back from our coworkers, and cost money that's not in the budget. In this post I've created a bunch of random, though related, lists that can be used to help get started with security in your library. It's a follow up and companion to Integrating IT Security In Your Library and should help put some of that theory into practice. You probably won't need every point from every list, but I'm hoping presenting them in this way will save you time, and start you on the path to increasing security. I hope to expand each list into a full length post in the future.

Integrating IT Security In Your Library

This is part Six in my many part series on IT Security In Libraries. In part 5 I covered 20 Common Security Myths, and how to defeat them. Part 4 was a general "How To Stay Safe Online" post that covered topics like patching/updating, watching links and downloads, and using good passwords. In Part Three I covered passwords. In part 2 we talked privacy. In Part One I tried to lay the foundation for security. Today's post is long on theory. I'll argue that most any library can be a target, and present some ideas on how to make things more secure in your library.

20 Common Security Myths

This is part five in my many part series on IT Security In Libraries. Part 4 was a general "How To Stay Safe Online" post that covered topics like patching/updating, watching links and downloads, and using good passwords. In Part Three I covered passwords. In part 2 we talked privacy. In Part One I tried to lay the foundation for security.

Today's post is short and sweet, 20 myths I've run across while working on the series. I've tried to include a link on most of them that explains why something is wrong.

Staying Safe Online

This is part four in my many part series on IT Security In Libraries. In Part Three I covered passwords. In part 2 we talked privacy. In Part One I tried to lay the foundation for security.

Today's post is a big bunch of tips (in convenient list form) on how to keep yourself safe while surfing the web. A bundle of easy practical tips you can take anywhere to make your computers safer. This is a pretty long list that can be boiled down to three important bullet points:

  • Keep everything patched and updated
  • Never trust anything
  • Use good passwords

Practical Advice On Choosing Good Passwords

This is Part Three in my many part series on IT Security In Libraries. In Part One I tried to lay the foundation for security. Last time we talked privacy, and today it's passwords.

A comment on an LISNews post from last week asked me about passwords. It seems like such a simple, obvious topic, but when you stop and think about it, passwords are difficult, and a good answer does indeed take 1,399 words.

Do you always use unique passwords? Are those passwords always "strong"? Does your library's web presence require strong passwords for all users? Do you have password recommendations clearly posted on your web resources for your users? What makes a good password? Are complex passwords the most secure? Is it uniqueness? Is length the most important thing in a password? I'll start by saying the single most important thing is uniqueness: never reuse the same password across sites.
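Two of the questions above, whether length or complexity matters more and whether a password is unique, can both be answered by a registration-time check. The following is an added example, not code from this series, of such a check: it scores a candidate by length and character pool, and it rejects anything already seen in breach data using the k-anonymity range lookup that Have I Been Pwned's Pwned Passwords service popularised (the client sends only the first five hex characters of the SHA-1 and matches the rest locally). The breach corpus and its counts are constructed and the "server" is a local function, so nothing leaves the machine; against the real service the fetch function would issue an HTTP request for the prefix instead.

```python
"""Added example: a password acceptance check that enforces length-based
strength and rejects breached (and therefore reused) passwords via a
k-anonymity prefix lookup. Constructed breach corpus; no network calls."""
import hashlib
import math

# Constructed breach corpus: password -> times seen. Not real breach data.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 3_730_471,
    "123456": 23_597_311,
    "letmein": 123_456,
    "P@ssw0rd": 51_334,
    "hunter2": 17_000,
}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_server(prefix):
    """Stand-in for the range endpoint: given 5 hex chars, return every stored
    hash suffix with that prefix as 'SUFFIX:COUNT' lines. The server never
    learns which suffix the client was interested in."""
    assert len(prefix) == 5
    lines = []
    for pw, count in CONSTRUCTED_BREACH_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password, fetch_range=fake_range_server):
    """Client side: send only the 5-char prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def estimate_bits(password):
    """Upper bound on guess entropy: length * log2(character pool). Assumes
    each character was chosen at random, so dictionary words score far more
    than they deserve; that gap is what the breach check covers."""
    if not password:
        return 0.0
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(pool)


def check_password(password, fetch_range=fake_range_server, min_length=12, min_bits=60):
    """Return the list of reasons to reject; an empty list means accept."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    bits = estimate_bits(password)
    if bits < min_bits:
        reasons.append(f"estimated {bits:.0f} bits, below {min_bits}")
    seen = breach_count(password, fetch_range)
    if seen:
        reasons.append(f"seen {seen} times in breach data")
    return reasons


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "password", "correcthorsebatterystaple"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The eight-character "complex" password scores about 53 bits and fails on all three counts, while the 25-character all-lowercase passphrase scores about 117 bits and passes, which is the length-beats-complexity point in numbers. The estimate is an upper bound only: it would also pass a 25-letter string lifted from a dictionary, so the breach lookup is not optional, and a site that wants to enforce uniqueness for its own users should run the same lookup at every password change.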

Practical Tips For Online Privacy

This is Part Two in my many part series on IT Security In Libraries. In Part One I tried to lay the foundation for security. This week we'll talk privacy, and up next will be a general "Staying Safe Online" that will cover a million and one tips on how to keep you and your computer safe.

Privacy is a relative term. That is, the things that I consider important to my privacy, someone else might not care about. As librarians we usually key in on confidentiality threats. We want our patrons' records safe. We also don't share that information with ANYONE else. In general, we are fierce about protecting our patrons' privacy. This is something that has always set us apart from everyone else. Amazon won't do it. Google won't do it. Do I even need to say Facebook won't do it? People who come into the library or use our web sites don't worry about what's going to happen with their information (or at least they shouldn't need to worry about it). They should know we are doing our best to guard their privacy. Keeping all our IT resources secure should be a large part of guarding that privacy.

There are no big events, dead bodies or explosions in privacy violations. It's something that is slowly eroding over time. The troubles are more subtle and are caused by errors, or intentional misuse and a shocking lack of transparency, accountability and security. We don't think about privacy much; we only think about it when things are going wrong. Most people tend to think privacy isn't very important, and don't give it a second thought. Most companies make money by keeping our information as free as possible so it can be used, shared, and sold. Let's start this section with some general arguments FOR privacy, some reasons why privacy is so highly valued in our profession:

IT Security For Libraries First In A Series

IT Security In Libraries
8. Social Media Security
7. Practical IT Security
6. Integrating IT Security In Your Library
5. 20 Common Security Myths
4. How To Stay Safe Online
3. Passwords
2. Privacy
1. IT Security Foundations

Today's post is long on theory. I'll argue that most any library can be a target, and present some ideas on how to make things more secure in your library.
My first post will cover privacy, because I think it's closely related to security, and it's something we as librarians take seriously. Then I'll cover a bunch of ways to stay safe online, how to secure your browser, PC and other things you and your patrons use every day. I'll also cover some common security myths. Then we'll talk passwords: everything has a password now, and I want to make sure we all understand what it takes to make your password as secure as possible. Then we'll talk network security for a bit, followed by hardware and PC security. Then I'll focus on security issues that you'll find in your library. And last, but not least, some things I think you'll find interesting that sysadmins do with servers to make things safer for you, and that you'll never see as an end user.